LGTM2

On 10/4/23 6:38 AM, Yoav Weiss wrote:
LGTM1

Usage seems low enough to make this safe still.

On Friday, September 29, 2023 at 2:24:11 AM UTC+2 Jun Kokatsu wrote:

Contact emails
[email protected]

Explainer
None

Specification
https://github.com/w3c/webappsec-cspee/pull/28/files

Summary
Removes a special treatment for same-origin iframes from CSP Embedded Enforcement. This aligns the behavior of enforcing CSP Embedded Enforcement for cross-origin iframes and same-origin iframes.

Blink component
Blink>SecurityFeature>ContentSecurityPolicy <https://bugs.chromium.org/p/chromium/issues/list?q=component:Blink%3ESecurityFeature%3EContentSecurityPolicy>

Motivation
The same-origin blanket enforcement logic specific to same-origin iframes exposes a new way to block certain resources from loading in the iframe. This allowed an attack which was not possible before (example: <https://github.com/google/google-ctf/tree/master/2023/quals/web-biohazard/solution#reviving-xss-auditor-primitive>). Additionally, this caused a bug <https://github.com/w3c/webappsec-cspee/issues/26> where the CSP nonce value enforced by CSPEE from a top frame had to exactly match the nonce value served in a grand-child frame, if the top frame and child frame are cross-origin but the child frame and grand-child frame are same-origin. Given this part of blanket enforcement is rarely used (~0.000017% <https://chromestatus.com/metrics/feature/timeline/popularity/4599>), let's remove this logic.

Initial public proposal
None

TAG review
None

TAG review status
Not applicable

Risks

Interoperability and Compatibility
None

Gecko: Positive <https://github.com/mozilla/standards-positions/issues/878>
WebKit: No signal <https://github.com/WebKit/standards-positions/issues/251>
Web developers: No signals
Other signals:

WebView application risks
Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications?
None

Debuggability
None

Is this feature fully tested by web-platform-tests <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>?
Yes <https://github.com/web-platform-tests/wpt/pull/41926>

Flag name on chrome://flags
None

Finch feature name
None

Non-finch justification
None

Requires code in //chrome?
False

Tracking bug
https://bugs.chromium.org/p/chromium/issues/detail?id=1263288

Estimated milestones
M120

Link to entry on the Chrome Platform Status
https://chromestatus.com/feature/5098158594195456

--
You received this message because you are subscribed to the Google Groups "blink-dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/d968fa5a-7c9f-4c2e-9a42-8dd3e468fa63n%40chromium.org.
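The three-frame arrangement behind the nonce bug cited in the intent, as a constructed illustration added here after the thread (not markup from the intent, the spec PR, or the linked bug). The origins, file names and nonce values are assumptions; the `csp` attribute and the nonce source expression are the standard CSPEE and CSP syntax.

```html
<!-- https://top.example/ (top frame), constructed: requires a nonce-based
     script policy of its cross-origin child via CSP Embedded Enforcement -->
<iframe src="https://child.example/child.html"
        csp="script-src 'nonce-TopFrameNonce123'"></iframe>

<!-- https://child.example/child.html (cross-origin to the top frame).
     It satisfies the required policy by serving a CSP that subsumes it,
     e.g. the response header
       Content-Security-Policy: script-src 'nonce-TopFrameNonce123'
     and then embeds a same-origin grand-child frame with no csp attribute: -->
<iframe src="https://child.example/grandchild.html"></iframe>

<!-- https://child.example/grandchild.html (same-origin with child.html).
     Per the intent, before this change the blanket enforcement for same-origin
     frames applied the top frame's required policy here as well, so this
     script ran only if its nonce was exactly 'TopFrameNonce123', a value the
     grand-child has no way to know. Removing the same-origin special case
     removes that blanket enforcement; see webappsec-cspee issue #26 for the
     discussion of the intended behavior. -->
<script nonce="GrandchildNonce456">console.log("grand-child script");</script>
```

The point to check in a deployment is the middle frame: a cross-origin child that accepts a required CSP containing a nonce, then nests same-origin frames, is the shape that hit the mismatch.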
